Sunday, January 11, 2009

Introduction to Threat Analysis

A threat is an impending event that is harmful. Something that is impending and harmful to one entity may not be to another. A 6.0 magnitude earthquake is harmful. Whether an earthquake is impending or not depends on location. According to the U.S. Geological Survey, there is a 90% probability of a 6.0 or greater magnitude earthquake occurring in the San Francisco Bay region before 2037. There is a 0% probability of a similar magnitude earthquake occurring in Bismarck, North Dakota, during the same period. Earthquakes are a threat to those who live in San Francisco. They are not a threat to those who live in Bismarck.

Just as the threat of earthquake varies by location, many threats to information systems vary by entity and by system. Consider the threat of Internet denial of service within the context of two organizations – an on-line gambling company and a local bakery. A denial of service attack against the Internet-facing gambling systems would negatively impact the owner’s revenue, particularly when approaching the time of a major sporting event. Denial of service is likely to occur against these systems because malicious actors know that they can often extort money from the system owners in return for not DoS’ing their systems. It is a threat to owners of on-line gambling systems because it is harmful and it is likely to occur.

Denial of service is not a threat to the owner of a local bakery whose revenue is not dependent on its Internet-facing systems. Were the attack to occur, the system owner would likely not notice the attack for an extended period of time. If she were to notice the attack, she would likely consider it an annoyance at most. Further, denial of service against her systems is not likely to occur because malicious actors have no rational motivation for doing so – no financial reward, no reputation reward.

Threat analysis is a method of determining the significance of various threats to your entity and your specific information systems and deciding how to address the threats.
